getfacl says my unprivileged account should be able to read the contents of a dir, but it can't?

[Stilez]

I'm probably missing something glaringly obvious..... but I can't see it.

The ACLs say I can list the contents of a directory in my pool, but I can't. I just can't see what it could be. Until I can fix this, I can't let other users access the file server so it's quite 'in the way'. Help very appreciated if anyone can suggest what's up and a fix!

Here's the getfacl output on the problem dir and its parent + grandparent:

# getfacl /mnt/data_dir/working_dir/
# owner: root
# group: wheel
group:data_managers:-w-pDd--------:-------:deny
everyone@:r-------------:-------:allow
group:data_managers:rwxpDda-R-c---:fd-----:allow
owner@:--------------:fd-----:allow
group@:--------------:fd-----:allow
everyone@:--x-----------:-d-----:allow

# file: /mnt/data_dir
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow

# file: /mnt
# owner: root
# group: wheel
user::rwx
group::r-x
other::r-x

I try to access working_dir as the newly created account having the ACL issue. This account is not the owner of any relevant dirs, nor a member of wheel or data_managers, so its only rights stem from the "everyone (world)" permissions/ACLs.

$ su -f restricted_user
% id
uid=1100(restricted_user) gid=65533(nogroup) groups=65533(nogroup),4003(restricted_users)
% pwd
/mnt/data_dir/working_dir
% ls
ls: .: Permission denied

The world permission on that dir is everyone@:r ..... (inheritance downward to subdirs for x but not r). r should give worldwide rights to read the contents of working_dir. The account is not a member of data_managers and even if it was, no ACE (higher or lower) is denying r or x. The restricted account has read and traverse permissions on it and its parent and neither read nor traverse are denied in other ACEs. I can traverse to it. But I can't read its contents.

I looked at more global settings:

# zfs get all data_dir | grep acl
data_dir aclmode restricted local
data_dir aclinherit passthrough local

# zfs get all data_dir/working_dir | grep acl
data_dir/working_dir aclmode restricted local
data_dir/working_dir aclinherit passthrough inherited from data_dir

# mount | grep data_dir
data_dir on /mnt/data_dir (zfs, local, noatime, nfsv4acls)
data_dir/working_dir on /mnt/data_dir/working_dir (zfs, local, noatime, nfsv4acls)

Completely ordinary, nothing out of place.

What have I missed?

Note - this is crossposted: I unsuccessfully asked on a general Unix related site a while back, but it's still a complete puzzle and 'blocker' so I'm hoping for help here!

 

[Stilez]

Nudging for attention and help, please!
There isn't an easy way to debug if FreeBSD decides the ACLs don't work as you think they ought to :)

 

[dlavigne]

Were you able to figure this out?

 

[Stilez]

Were you able to figure this out?

No - nudging again for anyone who can help find an answer?

 

[Stilez]

Posting this for anyone else affected. It now looks like this is probably a FreeBSD ACL evaluation bug, so I've posted a bug report on the FreeBSD bug tracker for it: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228538

 

[toadman]

Thank you for posting that link. These types of bugs are frustrating!